August 19, 2019

posted on Monday, August 19, 2019 at 9:24 AM

Did Facebook know about “View As” bug before 2018 breach?

By Lisa Vaas

A recent court filing indicates that Facebook knew about the bug in its View As feature that led to the 2018 data breach – a breach that would turn out to affect nearly 29 million accounts – and that it protected its employees from repercussions of that bug, but that it didn’t bother to warn users.

There was a class action lawsuit – Carla Echavarria and Derrick Walker v. Facebook, Inc. – filed within hours of Facebook’s revelations last September that attackers had exploited a vulnerability in its “View As” feature to steal access tokens: the keys that allow you to stay logged into Facebook so you don’t need to re-enter your password every time you use the app.

Reuters reports that the lawsuit in question actually combined several legal actions, presumably including the one filed on the same day as Facebook disclosed the breach.

The breach

As Naked Security’s Paul Ducklin explained at the time, the View As feature lets you preview your profile as other people would see it.

This is supposed to be a security feature that helps you check whether you’re oversharing information you meant to keep private. But crooks figured out how to exploit a bug (actually, a combination of three different bugs) so that when they logged in as user X and did View As user Y, they essentially became user Y. From Paul:

If user Y was logged into Facebook at the time, even if they weren’t actually active on the site, the crooks could recover the Facebook access token for user Y, potentially giving them access to lots of data about that user.

That’s exactly what attackers did: they took the profile details belonging to some 14 million users, including birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins.

Netflix has identified several denial of service (DoS) flaws in numerous implementations of HTTP/2, a popular network protocol that underpins large parts of the web. Exploiting them could make servers grind to a halt.

HTTP/2 is the latest flavour of HTTP, the application protocol that manages communication between web servers and clients. Released in 2015, HTTP/2 introduced several improvements intended to make sessions faster and more reliable.

Updates included:

HTTP header compression. In previous HTTP versions, only the body of a request could be compressed, even though for small web pages the headers, which often include data such as cookies and are always sent in text format, could be bigger than the body.

Multiplexed streams and binary packets. This made it easier to download multiple items in parallel, speeding up rendering of web pages made up of many parts.

Server Push. This means the server can send across cacheable information that the client might need later, even if it hasn’t been requested yet.

Features like these can help reduce latency and improve search engine rankings. The problem is that more complexity means more opportunity for bugs.

Netflix explains this in its writeup of the issue:

The algorithms and mechanisms for detecting and mitigating “abnormal” behavior are significantly more vague and left as an exercise for the implementer. From a review of various software packages, it appears that this has led to a variety of implementations with a variety of good ideas, but also some weaknesses.

There are eight of those weaknesses, all with their own separate CVE number and nickname.
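To make the binary framing and multiplexing described above concrete, here is an added example (not code from the Netflix writeup or from any HTTP/2 implementation) that encodes a few HTTP/2 frames and parses them back, applying the one size check the protocol itself mandates: a frame whose declared length exceeds SETTINGS_MAX_FRAME_SIZE is rejected before any payload is read. The byte stream is constructed, its HEADERS payloads are placeholder bytes rather than HPACK, and it does not model the eight reported weaknesses, which the page does not detail.

```python
import struct

# HTTP/2 frame types from RFC 7540 section 6 (only the ones this example uses).
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x6: "PING"}
DEFAULT_MAX_FRAME_SIZE = 2 ** 14  # initial SETTINGS_MAX_FRAME_SIZE (RFC 7540 section 6.5.2)

def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    length = struct.pack(">I", len(payload))[1:]  # low three bytes, big-endian
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a raw HTTP/2 byte stream (after the connection preface) into frame dicts.
    A declared length above the negotiated maximum is rejected before any payload is
    read (FRAME_SIZE_ERROR in the RFC), so a peer cannot make the parser buffer or
    wait on an oversized frame; a payload shorter than its declared length is an error too."""
    frames, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF  # reserved bit ignored
        if length > max_frame_size:
            raise ValueError(f"FRAME_SIZE_ERROR: {length} > {max_frame_size}")
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append({"type": FRAME_TYPES.get(ftype, f"0x{ftype:02x}"), "flags": flags,
                       "stream_id": stream_id, "payload": payload})
        pos += 9 + length
    return frames

def frames_per_stream(frames):
    """Count frames per stream id; interleaved ids are what multiplexing looks like on the wire."""
    counts = {}
    for f in frames:
        counts[f["stream_id"]] = counts.get(f["stream_id"], 0) + 1
    return counts

# Constructed sample: empty SETTINGS, two interleaved streams, and a PING on stream 0.
# The HEADERS payloads are placeholder bytes, not real HPACK-encoded header blocks.
SAMPLE = b"".join([
    build_frame(0x4, 0x0, 0, b""),
    build_frame(0x1, 0x4, 1, b"\x82"),   # flags 0x4 = END_HEADERS
    build_frame(0x1, 0x4, 3, b"\x82"),
    build_frame(0x0, 0x1, 1, b"hello"),  # flags 0x1 = END_STREAM
    build_frame(0x6, 0x0, 0, bytes(8)),  # PING carries 8 opaque bytes
    build_frame(0x0, 0x1, 3, b"world"),
])
```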

Security researchers have reviewed security advisories for Apache Struts and found that two dozen of them inaccurately listed affected versions for the open-source development framework.

The advisories have since been updated to reflect vulnerabilities in an additional 61 unique versions of Struts that were affected by at least one previously disclosed vulnerability but left off the security advisories for those vulnerabilities.

The extensive analysis was done by the Black Duck Security Research (BDSR) team of Synopsys’ Cybersecurity Research Center (CyRC), which investigated 115 distinct releases for Apache Struts and correlated those releases against 57 existing Apache Struts Security Advisories covering 64 vulnerabilities.

Synopsys’ Tim Mackey said in a blog post on Thursday that the danger isn’t that developers and users may have upgraded needlessly. Rather, the real danger is that needed updates may not have happened:

While our findings included the identification of versions that were falsely reported as impacted in the original disclosure, the real risk for consumers of a component is when a vulnerable version is missed in the original assessment. Given that development teams often cache ‘known good’ versions of components in an effort to ensure error-free compilation, under-reporting of impacted versions can have a lasting impact on overall product security.

Case in point: Equifax

Promptly patching security vulnerabilities in Apache Struts is a vital task: you can ask Equifax all about possible ramifications of failing to do so. Equifax blamed a nasty server-side remote code execution (RCE) bug (CVE-2017-5638) for the massive data breach of 2017. The patch had been available for months before the breach, it turned out, but Equifax hadn’t applied it.

Recent news stories about mobile phone security – or, more precisely, about mobile phone insecurity – have been more dramatic than usual.

That’s because we’re in what you might call “the month after the week before” – last week being when the annual Black Hat USA conference took place in Las Vegas.

A lot of detailed cybersecurity research gets presented for the first time at that event, so the security stories that emerge after the conference papers have been delivered often dig a lot deeper than usual.

…of which a whopping 7,000,000 were phones delivered with the malware preinstalled, inadvertently bundled in along with the many free apps that some vendors seem to think they can convince us we can’t live without.

No more stashing your Nest security cameras in the bushes to catch burglars unaware: Google informed users on Wednesday that it’s removing the option to turn off the status light that indicates when your Nest camera is recording.

You can still dim the light that shows when Google’s Nest, Dropcam, and Nest Hello cameras are on and sending video and audio to Nest, Google said, but you can’t make it go away on new cameras. If the camera is on, it’s going to tell people that it’s on – with its green status light in Nest and Nest Home and the blue status light in Dropcam – in furtherance of Google’s newest commitment to privacy.

Google introduced its new privacy commitment at its I/O 2019 developers conference in May, in order to explain how its connected home devices and services work.

The setting that enabled users to turn off the status light is being removed on all new cameras. When the cameras’ live video is streamed from the Nest app, the status light will blink. The update will be done over-the-air for all Nest cams: Google’s update notice said that the company was rolling out the changes as of Wednesday, 14 August 2019.

A UK man who DDoS-ed police websites was caught and imprisoned after he jeered at police about the attacks on social media.

Liam Reece Watts, 20, targeted the Greater Manchester Police (GMP) website in August 2018 and then the Cheshire Police site in March 2019, according to ITV News. Each of the public-facing websites was disabled for about a day, The Register reported.

According to news outlets and Watts’s Twitter posts, the distributed denial-of-service (DDoS) attacks were done in retaliation for Watts having been convicted of calling in bomb hoaxes just days after the 2017 Manchester Arena suicide attack left 22 people dead and 500 injured.

Watts, who was 19 at the time of the DDoS attacks, was caught after he taunted police through Twitter. He used the handle Synic: a possible reference to SYN flood, a type of DoS attack in which a server is swamped with TCP SYN (synchronize) packets, the opening message of a connection handshake, so that it fills up with half-open connections.
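As an added example (not from the article or from any of the police or news sources it cites), the following detection logic replays constructed packet summaries and reports the half-open handshake backlog per destination, the signal a defender watches for during a SYN flood. The packet tuples, addresses, timeout and threshold are all illustrative; real deployments tune them to the server's normal handshake rate.

```python
from collections import defaultdict

# Constructed packet summaries (time_s, src, dst, dport, flags) of the kind a capture tool or
# firewall log yields. "S" = SYN, "SA" = SYN-ACK, "A" = ACK; source ports are omitted for brevity.
PACKETS = [
    (0.00, "203.0.113.5", "198.51.100.10", 443, "S"),
    (0.01, "198.51.100.10", "203.0.113.5", 443, "SA"),
    (0.02, "203.0.113.5", "198.51.100.10", 443, "A"),  # a normal three-way handshake completes
] + [
    # a burst of 30 bare SYNs from 30 different sources that never send the final ACK
    (0.10 + i * 0.001, f"192.0.2.{i + 1}", "198.51.100.10", 443, "S") for i in range(30)
]

def half_open_connections(packets, now, timeout=1.0):
    """Replay packets up to `now` and return the half-open handshake count per (dst, dport).

    A SYN opens a pending entry; an ACK from the same client to the same server and port
    closes it. Entries that have waited at least `timeout` seconds at `now` are half-open.
    """
    pending = {}  # (src, dst, dport) -> time the SYN was first seen
    for t, src, dst, dport, flags in sorted(packets):
        if t > now:
            break
        key = (src, dst, dport)
        if flags == "S":
            pending.setdefault(key, t)  # a retransmitted SYN keeps its original timestamp
        elif flags == "A" and key in pending:
            del pending[key]
    per_dst = defaultdict(int)
    for (src, dst, dport), t in pending.items():
        if now - t >= timeout:
            per_dst[(dst, dport)] += 1
    return dict(per_dst)

def syn_flood_suspects(packets, now, timeout=1.0, threshold=25):
    """Destinations whose half-open backlog reaches `threshold` (an illustrative value)."""
    return {dst: n for dst, n in half_open_connections(packets, now, timeout).items() if n >= threshold}
```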

Watts reportedly wrote this in one of his tweets:

@Cheshirepolice want to send me to prison for a bomb hoax I never did, here you f****** go, here is what I’m guilty of.

Watts reportedly posted that tweet while police were still investigating the first DDoS attack on the GMP site in 2018, and before he unleashed the March 2019 attack on the Cheshire Police site.

He reportedly admitted to carrying out the attack after police searched his home.
